From 8514c30f01eb4395d034474a97bdc3798a9d45b0 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Sun, 18 Aug 2024 04:56:14 +0900 Subject: [PATCH] Set rewrite-timestamp=true Part of docker-library/official-images issue 16044 This exporter option rewrites the timestamps of the files inside image layers to use $SOURCE_DATE_EPOCH so as to increase reproducibility. https://github.com/moby/buildkit/blob/v0.15.2/docs/build-repro.md#source_date_epoch Signed-off-by: Akihiro Suda --- .test/meta-commands/out.sh | 4 ++-- meta.jq | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh index cf8cc9a..1ad1377 100644 --- a/.test/meta-commands/out.sh +++ b/.test/meta-commands/out.sh @@ -6,7 +6,7 @@ SOURCE_DATE_EPOCH=1700741054 \ docker buildx build --progress=plain \ --provenance=mode=max,builder-id='https://github.com/docker-library' \ - --output '"type=oci","dest=temp.tar"' \ + --output '"type=oci","dest=temp.tar","rewrite-timestamp=true"' \ --annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \ --annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \ --annotation 'org.opencontainers.image.created=2023-11-23T12:04:14Z' \ @@ -145,7 +145,7 @@ SOURCE_DATE_EPOCH=1709081058 \ --provenance=false \ --build-arg BUILDKIT_DOCKERFILE_CHECK=skip=all \ --sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR" \ - --output 'type=oci,tar=false,dest=sbom' \ + --output 'type=oci,tar=false,dest=sbom,rewrite-timestamp=true' \ --platform 'linux/amd64' \ --build-context "fake=oci-layout://$PWD/temp@$originalImageManifest" \ - <<<'FROM fake' diff --git a/meta.jq b/meta.jq index 947531e..e1a06f3 100644 --- a/meta.jq +++ b/meta.jq @@ -149,6 +149,7 @@ def build_command: [ "type=oci", "dest=temp.tar", # TODO choose/find a good "safe" place to put this (temporarily) + "rewrite-timestamp=true", empty ] | @csv 
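Review bot: The added `"rewrite-timestamp=true",` entry in `build_command`'s `--output` list carries no comment on what it depends on. Per the commit message, the exporter rewrites layer file timestamps to `$SOURCE_DATE_EPOCH`, so the option presumably does nothing useful if that variable is missing from the emitted command. It also needs a BuildKit release that knows the option (v0.13 or later as far as I know; confirm against the linked build-repro doc). I would annotate the line, e.g. `"rewrite-timestamp=true", # rewrite layer file timestamps to $SOURCE_DATE_EPOCH (reproducible layer digests); requires a BuildKit that supports this exporter option`. The same comment belongs on the SBOM `--output` string in the `@@ -329` hunk. The expected output in `.test/meta-commands/out.sh` shows `SOURCE_DATE_EPOCH=` prefixed to both commands, but the place where `build_command` emits it is outside this hunk.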
@@ -329,7 +330,7 @@ def build_command: "--load=false", "--provenance=false", # explicitly disable a few features we want to avoid "--build-arg BUILDKIT_DOCKERFILE_CHECK=skip=all", # disable linting (https://github.com/moby/buildkit/pull/4962) "--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\"", - "--output 'type=oci,tar=false,dest=sbom'", + "--output 'type=oci,tar=false,dest=sbom,rewrite-timestamp=true'", # TODO also add appropriate "--tag" lines (which would give us a mostly correct "subject" block in the generated SBOM, but we'd then need to replace instances of ${sbomImageManifest#*:} with ${originalImageManifest#*:} for their values to be correct) @sh "--platform \(.source.arches[.build.arch].platformString)", "--build-context \"fake=oci-layout://$PWD/temp@$originalImageManifest\"",
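Review bot: On the SBOM build's `--output 'type=oci,tar=false,dest=sbom,rewrite-timestamp=true'`, nothing explains why a second timestamp rewrite is wanted on an image that is only `FROM fake`, fed from `oci-layout://$PWD/temp@$originalImageManifest`. If the exporter touches the layers again, the manifest exported to `sbom` may not match `$originalImageManifest`, and the existing TODO already notes that the SBOM's subject values need mapping back to the original digest. A short comment would make the intent auditable, e.g. `# rewrite-timestamp here only keeps the SBOM export deterministic; the image in "sbom" is discarded and the SBOM must still be tied to $originalImageManifest`, assuming that is in fact the intent. It would also help to have the test compare the SBOM output across two runs, so that a later BuildKit behaviour change shows up as a diff rather than as a silent provenance mismatch. The rest of `build_command` lies outside this hunk.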